December 28, 2009

Web Attacks and Defenses that Could Affect Users in 2010

As users and businesses trust more of their data to the Web, the state of Web application security becomes increasingly important. I talked recently with Jeremiah Grossman, founder and chief technology officer of White Hat Security in Santa Clara, CA, about attacks and defenses that could affect users in the upcoming year.

One key issue, Grossman notes, is that “our security systems are now fragmented and distributed.” For example, for the recent attack on Twitter, hackers didn’t break into Twitter’s site directly. Instead, they gained access to its account with its domain name system (DNS) provider, which is responsible for directing users who type the URL for Twitter’s site to the servers where the site is hosted. An internal security breach at Twitter is believed to have leaked the credentials needed to log in to its DNS account.

“End-users and employees have accounts all over the place,” Grossman says. In many cases, if attackers can get the credentials for one of a person’s accounts, those credentials will work for several other accounts as well. Though this problem has been around for a long time, it’s becoming a greater issue because of the increasing value of the data stored online.

Though experts have traditionally advised against writing passwords down, Grossman says he’s now changed his mind. He advises users to choose a different password for every account and write them all down, saying that the danger that a password doing double duty will be compromised online is greater than the danger of a thief stealing a physical list of passwords.

Besides this ongoing problem, Grossman says, several types of Web attacks are on the rise. In particular, he points to cross-site request forgery, an attack that forces a user to make unintended requests of a site. Malicious scripts hidden in compromised Web pages can exploit user credentials stored in the browser, potentially issuing requests to change passwords or withdraw money from online banking sites.

The news isn’t all bad, however. Grossman says he’s been encouraged by recent developments in Web application firewalls in the cloud, such as the products offered by Akamai. This technology can be used to stop Web-based attacks from reaching a customer’s website. The cloud-based offering should allow the technology “to get mass scale and adoption very quickly,” Grossman says, since many businesses find that trying to install Web application firewalls themselves slows down their performance too much.